This is my first blog post and something of an experiment. In the past I recorded what I learned in documents, but documents tend to get lost, so I am trying to keep a record of my learning in a blog instead. With graduation approaching, I am recording part of my graduation project here.
Topic: Setting up an L2TP VPN server on Ubuntu (campus-network intranet VPN)
1 Check the server host's network information
    :~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr fa:16:3e:a0:64:0c
              inet addr:172.16.0.61  Bcast:172.16.255.255  Mask:255.255.0.0    (the IP address)
2 Test whether the server host can reach the Internet
This step verifies that the server host can serve as the VPN's network egress.
    :~$ ping baidu.com
    PING baidu.com (111.13.101.208) 56(84) bytes of data.
    64 bytes from 111.13.101.208: icmp_seq=1 ttl=45 time=52.2 ms
    64 bytes from 111.13.101.208: icmp_seq=2 ttl=45 time=53.1 ms
    64 bytes from 111.13.101.208: icmp_seq=3 ttl=45 time=56.9 ms
The terminal output shows that the server host can ping the Internet. So when a VPN client (in the campus network's I zone, i.e. the Internet zone) connects to the VPN server (in the campus network's Non-I zone, i.e. the non-Internet zone), it can reach the Internet through the VPN tunnel.
3 Switch to the root user to obtain root privileges
    ubuntu@XXX:~$ sudo -i
    sudo: unable to resolve host zhantengfei-vpn
    root@XXX:~#
4 Install L2TP
If "unable to locate package" appears during installation, run apt-get update; if that still does not help, apt-get upgrade can also be used. Refresh the sources, then install again.
Install L2TP:
    :~# sudo apt-get install openswan ppp xl2tpd -y
    sudo: unable to resolve host zhantengfei-vpn
    Reading package lists... Done
    Building dependency tree
    ............
5 Configure the related files
    :~# vim /etc/ipsec.conf    # open the file with vim; IPsec provides the encryption
After editing the file, press ESC and type :wq to save. The edited ipsec.conf is shown below:
    config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        force_keepalive=yes
        keep_alive=1800

    conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
        leftnexthop=%defaultroute
        rightnexthop=%defaultroute

    conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=172.16.0.61    # set to the server's external IP address
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=40
        dpdtimeout=130
        dpdaction=clear
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    :/etc# vi ipsec.secrets
    # include /var/lib/openswan/ipsec.secrets.inc    # note: this line must be commented out
    172.25.11.223 %any: PSK "1110005440"    # set to the server's internal address, and set the pre-shared key (can be chosen freely)
    include /var/lib/openswan/ipsec.secrets.inc

    :~# vi /etc/sysctl.conf
    # /etc/sysctl.conf
    # only values specific for ipsec/l2tp functioning are shown here. merge with
    # existing file
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.icmp_ignore_bogus_error_responses = 1
5.4 Run the following script
    for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
    sysctl -p    # make the changes take effect
    :~# vi /etc/xl2tpd/xl2tpd.conf
Write in the following (the global keys belong in the [global] section of xl2tpd.conf):
    [global]
    auth file = /etc/ppp/chap-secrets
    port = 1701

    [lns default]
    ip range = 10.0.0.10-10.0.4.254
    local ip = 10.0.0.9
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    name = L2TPVPN
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes
    :~# vi /etc/ppp/options.xl2tpd
    #require-pap
    #require-chap
    #require-mschap
    ipcp-accept-local
    ipcp-accept-remote
    require-mschap-v2
    ms-dns 114.114.114.114
    ms-dns 8.8.4.4
    asyncmap 0
    auth
    crtscts
    lock
    hide-password
    modem
    debug
    name l2tpd
    proxyarp
    lcp-echo-interval 30
    lcp-echo-failure 4
    mtu 1400
    noccp
    connect-delay 5000
Reference for these options: http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html
    :~# vi /etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client    server    secret        IP addresses
    Spencer     l2tpd     1110005440    *
5.8 Finally, configure the firewall
    # iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -o eth0 -j MASQUERADE    # this rule decides whether clients can reach the Internet
    iptables --table nat --append POSTROUTING --jump MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -o eth0 -j MASQUERADE
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I FORWARD -s 10.0.0.0/22 -j ACCEPT
    iptables -I FORWARD -d 10.0.0.0/22 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1701 -j ACCEPT
    iptables -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
    /etc/rc.d/init.d/iptables save
    /etc/rc.d/init.d/iptables restart
Of these, write the following two lines into /etc/rc.local so they are re-applied at boot:
    for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
    iptables --table nat --append POSTROUTING --jump MASQUERADE
5.9 Verify that the configuration succeeded:
    :~# ipsec verify
    Checking if IPsec got installed and started correctly:
    Version check and ipsec on-path                         [OK]
    Openswan U2.6.49/K3.13.0-65-generic (netkey)
    See `ipsec --copyright' for copyright information.
    Checking for IPsec support in kernel                    [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects                    [OK]
             ICMP default/accept_redirects                  [OK]
             XFRM larval drop                               [OK]
    Hardware random device check                            [N/A]
    Two or more interfaces found, checking IP forwarding    [OK]
    Checking rp_filter                                      [OK]
    Checking that pluto is running                          [OK]
     Pluto listening for IKE on udp 500                     [OK]
     Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
     Pluto listening for IKE/NAT-T on udp 4500              [OK]
     Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
     Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
    Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
    Checking 'ip' command                                   [OK]
    Checking 'iptables' command                             [OK]
As long as no item shows Failed, the setup is fine. L2TP uses port 1701 over UDP, so the TCP items do not matter.
Finally, to inspect connections or debug errors, watch the log /var/log/syslog:
    tail -f /var/log/syslog
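ipsec verify only checks the host; it does not cross-check the files edited in section 5 against each other. The following script is an added example (not part of the original post) that audits three things a practitioner would want confirmed: that the identity in ipsec.secrets matches left= in ipsec.conf (the PSK is looked up by that address), that the LNS local ip is outside the client pool, and that the whole pool falls inside the subnet the MASQUERADE and FORWARD rules cover. The config fragments are constructed inline from the values used in this post; the function names are my own.

```python
import ipaddress
import re

# Constructed config fragments (not the post's files verbatim) carrying the values
# this post uses for ipsec.conf, ipsec.secrets, xl2tpd.conf and the NAT rule.
IPSEC_CONF = """
conn L2TP-PSK-noNAT
    authby=secret
    left=172.16.0.61
    leftprotoport=17/1701
    right=%any
"""
IPSEC_SECRETS = '172.25.11.223 %any: PSK "1110005440"\n'
XL2TPD_CONF = """
[lns default]
ip range = 10.0.0.10-10.0.4.254
local ip = 10.0.0.9
"""
NAT_RULE = "iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -o eth0 -j MASQUERADE"


def kv(text, key):
    """Value of the first 'key = value' line (spaces around '=' optional)."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def audit(ipsec_conf, ipsec_secrets, xl2tpd_conf, nat_rule):
    """Cross-check the files; return a list of findings (empty means consistent)."""
    findings = []
    left = kv(ipsec_conf, "left")
    psk = re.search(r'^(\S+)\s+%any:\s*PSK\s*"([^"]*)"', ipsec_secrets, re.M)
    if psk is None:
        findings.append("secrets: no PSK line for %any")
    else:
        # Pluto selects the PSK by the left-hand identity, so it must equal left=.
        if psk.group(1) != left:
            findings.append("secrets: identity %s does not match left=%s" % (psk.group(1), left))
        # A short, all-digit PSK is a weak secret; prefer a long random string.
        if len(psk.group(2)) < 20 or psk.group(2).isdigit():
            findings.append("secrets: PSK is short or digits-only")
    lo, hi = (ipaddress.ip_address(a) for a in kv(xl2tpd_conf, "ip range").split("-"))
    local = ipaddress.ip_address(kv(xl2tpd_conf, "local ip"))
    if lo <= local <= hi:  # the LNS address must not be handed out to a client
        findings.append("xl2tpd: local ip %s lies inside the client pool" % local)
    nat = ipaddress.ip_network(re.search(r"-s\s+(\S+)", nat_rule).group(1))
    if lo not in nat or hi not in nat:  # clients outside the subnet get no NAT/forwarding
        findings.append("nat: pool %s-%s not fully inside %s" % (lo, hi, nat))
    return findings


if __name__ == "__main__":
    for finding in audit(IPSEC_CONF, IPSEC_SECRETS, XL2TPD_CONF, NAT_RULE):
        print(finding)
```

Run against the values in this post it reports three findings: the secrets identity 172.25.11.223 differs from left=172.16.0.61, the PSK is a short digit string, and the pool's upper end 10.0.4.254 lies outside 10.0.0.0/22 (which ends at 10.0.3.255), so a /21 or a smaller pool is needed.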
6 Connect a client to the VPN server
First the client must join the internal network, so that the client machine and the server are on the same LAN.
Because I installed Openswan using a certificate installation, the client has to connect with an L2TP/IPsec certificate connection.
7 Access the Internet
Once connected to the VPN server, the client can access the Internet.
References:
1) http://lesca.me/archives/how-to-setup-l2tp-over-ipsec-on-ubuntu.html#comments